Flaws in Secure Messaging App Telegram Expose Chats

Telegram, the popular cross-platform messaging app said to be built with a focus on speed and security, is plagued by some serious vulnerabilities that can be exploited to gain access to users’ messages, researchers reported on Monday.

The application, which as of December 2014 had 50 million users, is considered highly secure. Secret Chats, one-on-one chats wherein all messages are encrypted with a key held only by the participants, have a maximum score on the Electronic Frontier Foundation’s secure messaging scorecard. The EFF has credited Telegram for undergoing a code audit in February 2015.

The developers of Telegram seem to be highly confident in their encryption system. The company has even launched two contests offering $200,000 and, more recently, $300,000 for hacking the encryption protocol. Both rounds ended with no winners.

However, according to Zuk Avraham, founder and CTO of enterprise mobile security firm Zimperium, the messaging app is not as secure as it claims to be. After conducting some tests on the Telegram app for Android, the researcher determined that there are at least two methods that can be leveraged to bypass encryption and obtain messages.

The attack described by Avraham starts with the attacker gaining complete control of the targeted Android smartphone by leveraging a kernel exploit to elevate privileges. Once the attacker is in control, he can dump process memory and gain access to any file stored on the device.

The researcher discovered that the memory dump for the Telegram process contains the messages sent through Secret Chat in clear text. But this is not the only way to access users’ communications. Avraham identified a database file (Cache4.db) containing tables that store the secret messages in plain text.

Telegram users can delete their messages by using a special function in the app. While deleted messages are removed from the database file, they can still be retrieved from the process memory, the expert said.
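The plain-text database described above is a data-at-rest gap that an app team can test for on its own builds. The following Python script is an added example, not code from the article, Zimperium or Telegram: it classifies each file in an app data snapshot taken from a test device as plaintext SQLite or likely encrypted. The file names, the snapshot layout and the 7.5 bits-per-byte entropy threshold are assumptions, and the sample data is constructed.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every unencrypted SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_store(path: str, sample_size: int = 65536) -> str:
    """Return 'plaintext-sqlite', 'likely-encrypted' or 'unknown' for one file."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    # Assumed threshold: too little data or low entropy is reported as unknown.
    if len(sample) >= 4096 and shannon_entropy(sample) > 7.5:
        return "likely-encrypted"
    return "unknown"

def audit_app_data(root: str) -> dict:
    """Walk an app data snapshot and classify every file by at-rest protection."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify_store(full)
    return report

def build_constructed_snapshot() -> str:
    """Constructed sample data: one plaintext SQLite store, one random blob."""
    root = tempfile.mkdtemp(prefix="appdata_")
    con = sqlite3.connect(os.path.join(root, "messages_plain.db"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages (body) VALUES ('constructed test message')")
    con.commit()
    con.close()
    with open(os.path.join(root, "messages_sealed.bin"), "wb") as fh:
        fh.write(os.urandom(16384))  # stands in for an encrypted store
    return root

if __name__ == "__main__":
    for rel, verdict in sorted(audit_app_data(build_constructed_snapshot()).items()):
        print(f"{verdict:18} {rel}")
```

A `plaintext-sqlite` verdict on a message store means its contents are readable by anything that can read the file, which is the condition the researcher reported. The process-memory exposure is a separate issue that a file check does not cover.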

Telegram has a special email address for reporting security holes, but Avraham says the company has ignored his reports for more than a month now. The vulnerability details have been made public after Zimperium’s 30-day disclosure deadline expired.

“While Telegram was founded upon a noble goal of providing privacy to consumers everywhere at no cost, they have fallen short of their objective by focusing purely on data-in-transit versus protecting data-at-rest on the mobile device itself. What is regrettable is that I approached Telegram multiple times and have yet to receive a response,” Avraham explained in a blog post.

“Telegram’s so-called powerful encryption is not protecting users any better than any other page or app that uses SSL. If you are using Telegram because you want to ensure your privacy and the privacy of the messages you are sending, be aware that it will not stop sophisticated hackers from reading your messages. We highly recommend adding additional protection to your mobile device that can detect device-level cyberattacks.”
